Comment on global shortcuts security

Piotr Rak piotr.rak at gmail.com
Mon Sep 24 16:46:37 PDT 2012


Hi,

Although I am not a security expert, I'd like to share my input on
this topic, so putting on my black hat...

It is probably not a great discovery, but I believe that the minimal
requirement for a given combination of keys to be allowed as a global
shortcut is that it is not printable and not whitespace in the currently
selected keyboard layout. Such a combination should never be delivered
to an application that doesn't have active keyboard focus.

Two major reasons for that:

  - security: the reason is rather trivial; those may contain data that
    can be considered sensitive, like a credit card number, a password, or
    whatever. I can't imagine other sequences being considered sensitive
    (beside SAK, which is special in its way).
  - usability: I really wouldn't be happy if some app *steals* a
    character that I type in and does something fancy, changing my online
    presence to available any time I type AltGr+A ("a with ogonek" in the
    Polish programmer's layout), for example...

It seems impossible to ban key sequences for all possible keyboard layout
configs, considering that it's not that hard to write your own, so it seems
wise to do this check at runtime.
I don't think that the user will be very surprised by the fact that a
shortcut is being dropped silently with a changed layout. They may be, but
for sure not while typing a URL, texting, or editing text...

It also doesn't sound that terribly complicated to put these words into code
(given XKB shares enough info, and a decent enough isprint for Unicode
is somewhere out there, which I haven't checked).

I don't see a possible attack vector in allowing applications to check
if a given sequence is available for them now, or in notification about
layout change, but possibly I am not creative enough.

@Semantic approach idea suggested during XDC "Security":

It sounds interesting, but it seems to still leave at least a minor
attack vector, unless the above requirement is met too.

Let's imagine that compositor Y becomes the most popular compositor, or
even better, most compositors use some library for their semantic
binding handling. It (compositor or library) is shipped with a usable enough
configuration for keys and their actions (that's ofc one of the reasons
that it is so popular :->). Now, most users or distro developers
won't be tempted to change this config; people are lazy, and that's
why civilization can progress at all :).
If I want to sniff their input, I know which semantic word to use for
sniffing a given sequence, using knowledge of the default
configuration.

That's just a tiny bit harder, won't work 100% of the time, but hey, I am not
that greedy; just a few passwords will do just fine. I don't have to
get them all, right? Bah, even parts of passwords can be helpful and
cut loads of work, I imagine.

What would make that potential attack even sweeter: the *flaw* is shipped
by default. :-)

Cheers,
/Piotr
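A compositor-side sketch of the rule proposed in this post, as an added example (mine, not the poster's code and not from any Wayland compositor or from XKB): a global shortcut is granted only when the combination produces no printable or whitespace character under the active layout, every grant is re-checked on a layout switch and silently dropped if it would now type text, and a key press that is not a granted shortcut is routed only to the focused client. The layout tables, app names and the registry class are constructed stand-ins for real keymap data and compositor state.

```python
# Added example, not from the mailing-list post or any Wayland compositor.
# Models the rule from the post: a key combination may be a global shortcut
# only if, in the currently selected layout, it produces no printable or
# whitespace character; grants are re-validated on layout change.
from dataclasses import dataclass, field

# Modifier names used in the constructed layout tables below.
SHIFT, CTRL, ALT, ALTGR = "Shift", "Ctrl", "Alt", "AltGr"

# Constructed layouts (stand-ins for XKB keymaps):
# (key name, frozenset of modifiers) -> string typed by that combination.
# Combinations absent from a table produce no character at all.
LAYOUT_US = {
    ("a", frozenset()): "a",
    ("a", frozenset({SHIFT})): "A",
    ("space", frozenset()): " ",
}
LAYOUT_PL_PROGRAMMER = {
    **LAYOUT_US,
    ("a", frozenset({ALTGR})): "\u0105",          # a with ogonek, as in the post
    ("a", frozenset({ALTGR, SHIFT})): "\u0104",   # A with ogonek
}


def produces_text(layout, keysym, mods):
    """True if this combination types a printable or whitespace character
    in the given layout, i.e. it must never be a global shortcut there."""
    text = layout.get((keysym, frozenset(mods)))
    if text is None:
        return False
    return any(ch.isprintable() or ch.isspace() for ch in text)


@dataclass
class GlobalShortcutRegistry:
    """Hypothetical compositor state: the active layout and per-app grants."""
    layout: dict
    grants: dict = field(default_factory=dict)   # app -> set of (keysym, mods)
    dropped: list = field(default_factory=list)  # audit trail of silent drops

    def is_available(self, keysym, mods):
        """The harmless query the post mentions: may this combo be a shortcut now?"""
        return not produces_text(self.layout, keysym, mods)

    def register(self, app, keysym, mods):
        """Grant a global shortcut only if it types nothing in the active layout."""
        combo = (keysym, frozenset(mods))
        if not self.is_available(keysym, mods):
            return False
        self.grants.setdefault(app, set()).add(combo)
        return True

    def switch_layout(self, new_layout):
        """Re-check every grant against the new layout; drop the ones that
        would now type a character, without notifying the owning app."""
        self.layout = new_layout
        for app, combos in self.grants.items():
            for combo in list(combos):
                if produces_text(new_layout, *combo):
                    combos.discard(combo)
                    self.dropped.append((app, combo))
        return list(self.dropped)

    def deliver(self, keysym, mods, focused_app):
        """Route a key press: a granted shortcut goes to its owner; anything
        else reaches only the app that has keyboard focus."""
        combo = (keysym, frozenset(mods))
        for app, combos in self.grants.items():
            if combo in combos:
                return app
        return focused_app


def demo():
    """AltGr+A is harmless in the US table and gets granted, but a switch to
    the Polish programmer's layout turns it into "ą", so the grant is dropped
    and the key press goes back to the focused editor."""
    reg = GlobalShortcutRegistry(layout=LAYOUT_US)
    granted = reg.register("chat", "a", {ALTGR})
    reg.switch_layout(LAYOUT_PL_PROGRAMMER)
    return granted, reg.grants["chat"], reg.deliver("a", {ALTGR}, focused_app="editor")
```

The registry deliberately answers `is_available` without revealing what the combination would type, which is the only information an application needs and matches the post's view that such a query adds no attack surface.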


More information about the wayland-devel mailing list